Qatari contact-tracing app exposes over 1m personal data to hackers


An investigation by Amnesty International has revealed that a bug in Qatar’s coronavirus contact-tracing app put the sensitive personal details of more than a million people in the country exposed to cyber criminals.

According to Amnesty International’s security lab, the app was configured in such a way that would have allowed hackers “to access highly sensitive personal information, including the name, national ID, health status and location data of more than 1 million users”.

Claudio Guarnieri, the lab’s head, said the flaws, fixed following their discovery, “should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards”.

The app is mandatory for Qatari residents to install on their mobile phones. It became compulsory on 22 May, with a penalty of up to three years in prison for people found to have not downloaded it.

The Qatari app uses a mixture of GPS and Bluetooth technology to track Covid-19 cases and warn people who may have been exposed to an infectious person. Like the UK’s app, it operates on a centralised model allowing the country’s interior ministry access to the information it gathers.

However, it gathers much more information than most similar apps, including the location of the user, which it links directly to their name and national ID, a choice that Amnesty describes as “highly problematic”.

The data-hungry approach favoured by Qatar is in stark contrast to Switzerland, which this week launched its own Covid contact-tracing app, SwissCovid, the first in the world to be built around privacy-first technology developed by Apple and Google. It operates in a “decentralised” manner, with Swiss health authorities receiving no information that can be used to track the pace of the outbreak.

The Swiss app is used only by essential workers since primary legislation needs to be passed by the country’s MPs, which the government hopes can happen by June, before it can be made available to the general public

Other countries, including the UK and Australia, come down somewhere between Switzerland and Qatar on the amount of data they are gathering with the apps.

A study from Johns Hopkins University in the US argues that may be the best position. The report, Digital Contact Tracing for Pandemic Response, argues that privacy should not outweigh public health goals and other values.

It also criticises Apple and Google for unilaterally setting the terms of use at a time when such broad public interests are at stake.

“Technology companies should not alone control the terms, conditions, or capabilities of DCTT [digital contact-tracing technologies], nor should they presume to know what may be acceptable to members of the public,” the report concludes, arguing that “there is insufficient evidence that public trust would be threatened by a DCTT system that has the capacity to securely collect location data, integrate public health authorities, and enable voluntary sharing of certain user data (eg location data) with those authorities.”

Jeffrey Kahn, the report’s author, added: “Too much emphasis on privacy could severely limit the ability to gather information that is critical for effective and efficient contact tracing to help beat the pandemic, and so the full range of interests and values of the public must drive this conversation–and not just those asserted by tech companies.” (Source: The Guardian)